IntSights' Blog

5 Best Practices for Dark Web Threat Hunting

Tomorrow marks Halloween here in the U.S, where children (and adults too) dress up in costumes and go door-to-door collecting candy around their neighborhood. While many people will be disguising themselves tomorrow night, there’s a place online where people disguise themselves every day...the dark web. Hidden behind multiple layers of encrypted traffic and relays, threat actors operate online as different avatars to hide their true identity and coordinate their criminal activities.

While the Dark Web may not be a place you ever want to visit, it can actually be used as a rich source of threat intelligence. In the spirit Halloween, here are 5 best practices for how you can disguise yourself online to go undercover and hunt threats on the dark web.

Human Intelligence in the Threat Hunting Process

There are many sources of “intelligence” that can be used to identify potential cyber threats, including OSINT, SIGINT and SOCMINT. However, one that’s often overlooked is HUMINT (Human Intelligence), which can be defined as the process of gathering intelligence through interpersonal contact and engagement, rather than by technical processes, feed ingestion or automated monitoring.

HUMINT is all about uncovering the Who and the Why behind a cyberattack, and involves developing your own avatars that appear to be cybercriminals so you can engage with other threat actors online. It’s similar to how intelligence officers go undercover and establish sources to help thwart potential attacks or crime.

Threat actor engagement requires a very special set of skills and can be dangerous. But when done effectively, it can be your most valuable source of intelligence.

5 Dark Web Threat Hunting Best Practices

1. Take Personal Security Measures

Just like any undercover work, it can be risky when you engage directly with your adversaries. If your cover is blown, you immediately become a target, so you need to take the proper steps to protect yourself before you start developing your own dark web avatars.

Always use a clean virtual machine when visiting the dark web and don’t save anything to your device. If you are exposed as a threat hunter, hackers will try to hack you back. Therefore, you don’t want anything on your device that could lead back to you, your M.O., or your company.

2. Tell a Good Story

To develop your avatar, you need to have a strong backstory that’s believable. Come up with this backstory before you get started and do your homework. For example, if you claim to be a student, make sure you know what university you say you attend, have details about the campus, and are clear about what you’re studying there. Anticipate what questions you’ll get and make sure you have your facts straight.

3. Engage At All Hours

Hackers don’t work 9 to 5. They are active at all hours of the day, and usually most active at odd times. Therefore, you have to follow similar patterns to appear legitimate. Make sure you spend time logging in at all hours, including nights, weekends and even lunch time. Other threat actors take note of when you’re engaging online, so put the time in to give your avatars more credibility.

4. Use the Right Lingo

Hacker communities usually have a distinct form of communication. It’s important to get your slang right so that you don’t raise suspicion. Spend time studying various communities and getting a sense of their typical conversations and jargon so that you can fit right in. In addition, if you’re hunting threats in different languages or regions, you need to be fluent in that language, again to not raise suspicion. You will be sniffed out quickly if you can’t fit their slang.

5. Don’t Wait to Get Started

Avatars and sources take months or even years to develop. You can’t suddenly flip a switch and “boom”...you have sources. They need continuous work and development over time, and once established, can pay dividends in the long run. However, if you wait to get started, you’ll likely run into a circumstance where you wish you had dark web sources you could turn to.

Conclusion

When done appropriately and with the right precautions, human intelligence through threat actor engagement can be one of your best sources of intelligence. There are also a variety of tools/services you can leverage that provide intelligence and research on key threat actors and dark web chatter to help you complement your existing intelligence programs.

As millions of people dress up to celebrate Halloween this year, consider doing the same to engage your cyber-adversaries online, and turn the dark web from a trick...into a treat!

Nathan is a Senior Product Marketing Manager at IntSights, responsible for the company's positioning, messaging and content strategy. He has worked in IT and cybersecurity marketing for over 5 years, holding a number of different roles across product marketing, marketing programs and content marketing. In his free time, he enjoys staying active, being outdoors and following any and all Boston sports teams.

Revolutionizing cybersecurity with the first of its kind enterprise threat intelligence and mitigation platform that drives proactive defense by turning tailored threat intelligence into automated security action.